camunda BPM / CAM-8752

Inconsistency in the Cockpit permission error messages

    Details

    • Type: Bug Report
    • Status: Closed
    • Priority: L3 - Default
    • Resolution: Fixed
    • Affects Version/s: 7.8.1, 7.9.0-alpha2
    • Fix Version/s: 7.9.0, 7.8.3, 7.9.0-alpha3
    • Component/s: cockpit

      Description

      1. Scenario:
      • I, as a user, have only permission to read a process instance.
      • There exists a variable in a running process instance.
      • I try to update the variable via Cockpit.
      • Cockpit shows me the message: Variable :The variable 'test' could not be changed successfully.
      • But in the console I see:
        16-Feb-2018 09:55:56.054 WARNING [http-nio-8080-exec-12] org.camunda.bpm.engine.rest.exception.ProcessEngineExceptionHandler.toResponse org.camunda.bpm.engine.AuthorizationException: The user with id 'john' does not have one of the following permissions: 'UPDATE' permission on resource 'b365d4a0-12f6-11e8-ba9c-0242debfd039' of type 'ProcessInstance' or 'UPDATE_INSTANCE' permission on resource 'Process_1' of type 'ProcessDefinition'
                at org.camunda.bpm.engine.impl.persistence.entity.AuthorizationManager.checkAuthorization(AuthorizationManager.java:232)
                at org.camunda.bpm.engine.impl.persistence.entity.AuthorizationManager.checkAuthorization(AuthorizationManager.java:189)
                at org.camunda.bpm.engine.impl.cfg.auth.AuthorizationCommandChecker.checkUpdateProcessInstance(AuthorizationCommandChecker.java:204)
                at org.camunda.bpm.engine.impl.cmd.SetExecutionVariablesCmd.checkSetExecutionVariables(SetExecutionVariablesCmd.java:64)
                at org.camunda.bpm.engine.impl.cmd.SetExecutionVariablesCmd.getEntity(SetExecutionVariablesCmd.java:46)
                at org.camunda.bpm.engine.impl.cmd.SetExecutionVariablesCmd.getEntity(SetExecutionVariablesCmd.java:29)
                at org.camunda.bpm.engine.impl.cmd.AbstractVariableCmd.execute(AbstractVariableCmd.java:49)
                at org.camunda.bpm.engine.impl.cmd.AbstractPatchVariablesCmd.execute(AbstractPatchVariablesCmd.java:43)
                at org.camunda.bpm.engine.impl.cmd.AbstractPatchVariablesCmd.execute(AbstractPatchVariablesCmd.java:26)
                at org.camunda.bpm.engine.impl.interceptor.CommandExecutorImpl.execute(CommandExecutorImpl.java:24)
                at org.camunda.bpm.engine.impl.interceptor.CommandContextInterceptor.execute(CommandContextInterceptor.java:104)
                at org.camunda.bpm.engine.impl.interceptor.ProcessApplicationContextInterceptor.execute(ProcessApplicationContextInterceptor.java:66)
                at org.camunda.bpm.engine.impl.interceptor.LogInterceptor.execute(LogInterceptor.java:30)
                at org.camunda.bpm.engine.impl.RuntimeServiceImpl.updateVariables(RuntimeServiceImpl.java:410)
                at org.camunda.bpm.engine.impl.RuntimeServiceImpl.updateVariablesLocal(RuntimeServiceImpl.java:405)
                at org.camunda.bpm.engine.rest.sub.runtime.impl.LocalExecutionVariablesResource.updateVariableEntities(LocalExecutionVariablesResource.java:40)
                at org.camunda.bpm.engine.rest.sub.impl.AbstractVariablesResource.modifyVariables(AbstractVariablesResource.java:207)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.lang.reflect.Method.invoke(Method.java:498)
                at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
                at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257)
                at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222)
                at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
                at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
                at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
                at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
                at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
                at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
                at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
                at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
                at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
                at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
                at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
                at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
                at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                at org.camunda.bpm.engine.rest.filter.CacheControlFilter.doFilter(CacheControlFilter.java:41)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                at org.camunda.bpm.engine.rest.filter.EmptyBodyFilter.doFilter(EmptyBodyFilter.java:95)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                at org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilterSecure(SecurityFilter.java:67)
                at org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilter(SecurityFilter.java:51)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter$1.execute(AuthenticationFilter.java:58)
                at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter$1.execute(AuthenticationFilter.java:56)
                at org.camunda.bpm.webapp.impl.security.SecurityActions.runWithAuthentications(SecurityActions.java:40)
                at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:56)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
                at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
                at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
                at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
                at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
                at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
                at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
                at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
                at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
                at java.lang.Thread.run(Thread.java:748)
        

      If we try to modify the running process instance, we see the exception message directly in Cockpit:
      Could not apply modification :The user with id 'john' does not have one of the following permissions: 'UPDATE' permission on resource 'b365d4a0-12f6-11e8-ba9c-0242debfd039' of type 'ProcessInstance' or 'UPDATE_INSTANCE' permission on resource 'Process_1' of type 'ProcessDefinition'

      This seems a bit inconsistent to the user.


      1. How to reproduce
      • Run Tomcat 7.8.1
      • Create the exampleWarProject and deploy it
      • Log in as demo
      • Adjust permissions for the sales group:
        • The sales group needs to have access to Cockpit
        • On process definition level they need READ, READ_INSTANCE, READ_HISTORY permission
        • On process instance level they need READ permission
      • Start the process (with test variable) as the demo user
      • Log in as john
      • Open Cockpit and try to update the variable
      • The message is shown in Cockpit and the error is printed in the log (server/apache-tomcat-8.0.47/logs/catalina.out)
      • If you try to modify the process instance, you get the exception message in Cockpit

            People

            Assignee:
            michael.schoettes Michael Schoettes
            Reporter:
            christopher.zell Christopher Zell
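
The AuthorizationException line quoted in the description has a regular shape, so denied updates that Cockpit reports only with a generic message can still be picked out of catalina.out. The parser below is an added example, not part of the issue or of Camunda's code; the function names are hypothetical, and apart from the first entry and its first stack frame the sample log lines are constructed.

```python
import re
from collections import Counter

# First entry and its stack frame are copied from the report above;
# the INFO line and the last WARNING line are constructed for illustration.
SAMPLE_LOG = """\
16-Feb-2018 09:55:56.054 WARNING [http-nio-8080-exec-12] org.camunda.bpm.engine.rest.exception.ProcessEngineExceptionHandler.toResponse org.camunda.bpm.engine.AuthorizationException: The user with id 'john' does not have one of the following permissions: 'UPDATE' permission on resource 'b365d4a0-12f6-11e8-ba9c-0242debfd039' of type 'ProcessInstance' or 'UPDATE_INSTANCE' permission on resource 'Process_1' of type 'ProcessDefinition'
        at org.camunda.bpm.engine.impl.persistence.entity.AuthorizationManager.checkAuthorization(AuthorizationManager.java:232)
16-Feb-2018 09:56:10.101 INFO [main] org.example.Constructed.line unrelated message
16-Feb-2018 09:57:02.330 WARNING [http-nio-8080-exec-3] org.camunda.bpm.engine.rest.exception.ProcessEngineExceptionHandler.toResponse org.camunda.bpm.engine.AuthorizationException: The user with id 'john' does not have one of the following permissions: 'UPDATE' permission on resource 'constructed-instance-id' of type 'ProcessInstance' or 'UPDATE_INSTANCE' permission on resource 'Process_1' of type 'ProcessDefinition'
"""

# Header line of a denial: timestamp, level, thread, then the exception message.
HEADER = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ \[(?P<thread>[^\]]+)\] "
    r".*?AuthorizationException: The user with id '(?P<user>[^']*)' "
    r"does not have one of the following permissions: (?P<alts>.*)$")
# Each alternative permission that would have allowed the operation.
ALT = re.compile(
    r"'(?P<perm>[^']*)' permission on resource '(?P<res>[^']*)' of type '(?P<type>[^']*)'")

def parse_denials(log_text):
    """Return one dict per AuthorizationException header; stack frames are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        missing = [(a["perm"], a["res"], a["type"]) for a in ALT.finditer(m["alts"])]
        denials.append({"ts": m["ts"], "thread": m["thread"],
                        "user": m["user"], "missing": missing})
    return denials

def denials_by_definition(denials):
    """Count denials per (user, process definition key, permission)."""
    counts = Counter()
    for d in denials:
        for perm, res, rtype in d["missing"]:
            if rtype == "ProcessDefinition":
                counts[(d["user"], res, perm)] += 1
    return counts

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for d in found:
        print(d["ts"], d["user"], d["missing"])
    print(denials_by_definition(found))
```

Grouping on the process definition key rather than the instance id keeps repeated attempts against different instances of the same process in one bucket.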